
An XSS vulnerability has been found in the language selector. Everybody who runs coppermine (any version older than cpg1.3.5) will have to apply this security fix as soon as possible.

We have released a brand new package of the stable branch (cpg1.3.x) named "cpg1.3.5" that contains the above-mentioned fix, plus some fixes of minor issues: Download cpg1.3.5. The vulnerability existed in the devel code (cpg1.4.x) as well, which is why users who are testing the devel version are strongly encouraged to update their version as well (by doing a CVS checkout).

Experienced users who don't want to do the upgrade (because their coppermine install is heavily modified) can apply the fix manually as well (instead of doing the recommended upgrade to cpg1.3.5).

I am running version 134. Can I just extract the init.inc.php from the zip file you posted and upload it to my include folder? I am not that comfortable adding the code myself, but I also don't want to lose the changes I have now.

As suggested above: there are a number of other minor fixes as well, so the recommended way would be to overwrite all coppermine core files with the ones from the package - please refer to the upgrade instructions that come with the package. However, if you feel like this is too much for you, you could just replace the file include/init.inc.php to address only the particular vulnerability that caused the maintenance release.

//Sanitize the data - to fix the XSS vulnerability - Aditya
foreach ($iptc as $key=>$data) {
    $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
}

You have to remove it now manually if you upgrade from 1.3.3 with this fix: http://forum.coppermine-gallery.net/index.php?topic=20933.0
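As an added example (not Coppermine's or Aditya's code), the sanitizer posted above wrapped in a function and run over constructed IPTC fields, so that what each call strips, and what trim() leaves in the middle of a field, is visible. Field names and sample values are made up for the illustration.

```php
<?php
// Added example (not Coppermine's or Aditya's code): the sanitizer posted
// above, wrapped in a function and run over constructed IPTC fields so the
// effect of each call is visible. Field names and values are made up.

function sanitize_iptc(array $iptc): array
{
    foreach ($iptc as $key => $data) {
        // The ".." ranges make trim() strip bytes 0x7f-0xff and 0x00-0x1f,
        // but trim() only works on the ENDS of the string: a control byte
        // in the middle of a field survives this step.
        $ends_trimmed = trim($data, "\x7f..\xff\x00..\x1f");

        // strip_tags() drops markup; htmlentities() with ENT_QUOTES then
        // encodes <, >, &, " and ' so whatever is left is inert in HTML.
        // Caveat: on PHP >= 5.4 (default charset UTF-8) htmlentities()
        // returns "" for a string containing an invalid byte sequence unless
        // ENT_SUBSTITUTE is also passed, so a stray high byte that was not
        // at an end of the field makes the whole field vanish silently.
        $iptc[$key] = htmlentities(strip_tags($ends_trimmed), ENT_QUOTES);
    }
    return $iptc;
}

// Constructed sample: tags, quotes, and control/high bytes both at the ends
// and in the middle of a field.
$sample = [
    'caption'  => '<script>alert(1)</script>Holiday "2005"',
    'byline'   => "O'Brien <b>bold</b>",
    'keywords' => "\x01\x02beach\x03sun\x7f\xff",
];

// Print the results with non-printable bytes escaped so they stay visible.
foreach (sanitize_iptc($sample) as $key => $value) {
    printf("%-8s => %s\n", $key, addcslashes($value, "\x00..\x1f\x7f..\xff"));
}
```

The script text of the caption survives as plain, entity-encoded text (only the tags are removed), while the \x03 inside the keywords field passes through untouched.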

========================
Step 1.
First of all! I removed the /cpg133/lang/, /cpg134/lang/, /cpg135/lang/ dirs before patching, as:
- it becomes too big
- there are problems with patching in Japanese (etc.) languages
- you can update lang files manually

========================
Step 7.
Update your /coppermine/lang/ dir with the necessary files. For example, I use only Eng, Ger, Rus.

##############################
!!! READ THIS ONE !!!
##############################
During the patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
--> Hunk #1 failed at 1.

Example below. The word "succeeded" means that there are no problems with patching that part of the code. The word "failed" means there was some problem.

If you see "failed" for some file, you have to open the file with the name "FILENAME_WITH_ERROR.rej" (below, for example, it is "zipdownload.php.rej") and look at what the patch couldn't change and fix that manually.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

- If you have not already done so, create a folder called "edit" within your "albums" directory - this folder will be used by coppermine as a temporary folder, do not ftp-upload files there. Make sure the new "edit"-folder is CHMODed the same way your albums-directory is (755 or 777, depending on your server's config)
- Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php). This will update your coppermine install by making all necessary changes in the database.

Taken from: /cpg135/docs/index.htm#133.4 Upgrading from cpg1.2.0rc2 or better to version cpg1.3.5

The above posting by Makc666 does not describe the upgrade procedures suggested by the coppermine dev team - it's just Makc666's idea of how to do things. Some of the steps he outlines are just plain wrong in my opinion. Although we welcome user contributions, I disagree with posting something that looks like a detailed readme/howto. Makc666 failed to say why in his opinion the upgrade steps should be altered in the way he describes. In the future, please post why you think something's wrong with our suggested upgrade instructions instead of boldly posting a guide of your own.

My patch files are for those people who have a lot of MODs installed in their galleries. So they only have to apply my patch, without uploading any new files. This system is 100% the same as the patch files for the phpBB 2.x forum, which are used there. I didn't say that your upgrade instructions are bad. But they are only suitable for galleries without any modifications. Thanks for your reply. P.S. I just try to help people who know what I am posting.

Though I don't know much about PHP programming, I did apply this fix to my coppermine installation and my pages also seem to be loading faster. Just thought I would throw that in.

Quick note: "Thanks a lot for all the help provided here, I've always found answers within minutes when I had problems with configuration, layout, etc... I've used coppermine on four different websites so far and I find out something new every time. I've not yet seen a better photo gallery"

OK, not sure though. I was in my Fantastico and noticed an update for coppermine, so I proceeded with the update/maintenance fix. One thing: I'm a back-up freak, "thank God". When I went to my gallery I noticed it had changed the igames template back to its original state; I had modded the menu and added a homepage link to my site. Now, it wasn't even a big fix for me to revert it back by adding the 4 lines of code in english.php and igames/theme.php that I had revised in the previous version. Thought I'd just let others know. Now I have made my own theme folder using the igames theme, created a new lang/english.php file, pointed to the new directory in the admin panel, and edited styles.css, template.html and theme.php to point to the new directory. That is what I get for being lazy in the first place, but I was fortunate that I had not heavily modded the igames theme....

P.S. B.T.W. Best PhotoGallery in the World by far, keep it coming, you guys are great and I appreciate all your time and hard work!!!